
filtered webmin

Created by pablo. Last edited by pablo, one year and 360 days ago. Viewed 1,693 times. #1
We've all recently seen what happens when a popular piece of software that runs as root gets an exploit in the wild. I'm talking about webmin. Thousands of servers were compromised in a matter of days, not just at Rimuhosting, though a lot of our customers did get their VPS compromised.

Now, we can't blame the webmin developers (although they did fall for a very simple bug...). Errors in software are absolutely unavoidable; sooner or later this was going to happen, and, guess what, it will happen again.

Since we know this will happen again, we should ask: is there something we can do to prevent our servers and VPSs from getting compromised again? Of course there is! Do you *really* use webmin from all over the internet? For 99.9% of webmin users the answer is simply *no*. At most we use it from a couple of computers: home, the office, some remote place while we are on vacation. Yes... that's basically it.

So, I'd recommend that if you want to prevent your server from getting compromised again you whitelist webmin.

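To do this you add a rule set of the form allow-my-home, allow-my-office, deny-the-rest. Start with the deny-the-rest rule, which drops every connection to the webmin port; the allow rules are then inserted above it.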

Let's set it up:

WEBMIN_PORT=10000

iptables -I INPUT 1 -p tcp --dport "$WEBMIN_PORT" -j DROP

Now, let's write a script that will add a client as an authorized user for webmin, and a second one that removes it again:

echo '#!/bin/bash
# Allow one source IP to reach webmin by inserting an ACCEPT rule above the DROP rule.

WEBMIN_PORT=10000

# Use the IP given as the first argument, otherwise the IP of the current SSH session.
if [ "$1" != "" ]; then IP=$1; else IP=`echo $SSH_CLIENT | cut -f1 -d" "`; fi

if [ "$IP" = "" ]; then echo "Specify the IP address you want to add as allowed"; exit 1; fi

iptables -I INPUT 1 -p tcp --dport "$WEBMIN_PORT" -s "$IP" -j ACCEPT

if [ "$?" != "0" ]; then echo "IP not added"; exit 1; else echo "$IP added"; fi' > /usr/bin/webmin_add

chmod 755 /usr/bin/webmin_add

echo '#!/bin/bash
# Remove the ACCEPT rule that webmin_add inserted for one source IP.

WEBMIN_PORT=10000

# Use the IP given as the first argument, otherwise the IP of the current SSH session.
if [ "$1" != "" ]; then IP=$1; else IP=`echo $SSH_CLIENT | cut -f1 -d" "`; fi

if [ "$IP" = "" ]; then echo "Specify the IP address you want to remove as allowed"; exit 1; fi

iptables -D INPUT -p tcp --dport "$WEBMIN_PORT" -s "$IP" -j ACCEPT

if [ "$?" != "0" ]; then echo "IP not removed"; exit 1; else echo "$IP removed"; fi' > /usr/bin/webmin_remove

chmod 755 /usr/bin/webmin_remove

Now, whenever you want to use webmin from a different computer (or IP) you would run:

webmin_add

as root, or to allow a particular IP:

webmin_add IP

When you are done using webmin run:

webmin_remove

or to stop allowing a particular IP:

webmin_remove IP

NOTE: The commands and scripts above use port 10000; replace 10000 with the port where your webmin is running.
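A whitelist like this is only as good as its current contents: a forgotten webmin_remove leaves an old address allowed, and a flushed chain leaves the port open to everyone. The following audit is an added example, not part of the original howto; the function name webmin_audit and the sample rules and addresses are constructed for illustration, and only rules that name the port with --dport are examined.

```shell
#!/bin/bash
# Added example: audit the webmin whitelist from `iptables -S INPUT` output.
# On a live server, run as root:  iptables -S INPUT | webmin_audit 10000

# Reads rules in `iptables -S INPUT` format on stdin.
# Prints every source allowed to reach tcp port $1 ahead of the DROP rule.
# Exit status: 0 = port is filtered
#              1 = no DROP rule for the port (whitelist not in effect)
#              2 = an ACCEPT without a source address precedes the DROP
webmin_audit() {
    awk -v port="$1" '
        $1 != "-A" { next }                  # skip policy lines such as "-P INPUT ACCEPT"
        {
            src = ""; dport = ""; target = ""
            for (i = 3; i < NF; i++) {       # collect the options this check cares about
                if ($i == "-s")      src    = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
        }
        dport != port                  { next }                  # rule for another port
        target == "DROP"   && src == "" { found = 1; exit }        # the deny-the-rest rule
        target == "ACCEPT" && src == "" { unrestricted = 1; exit } # open to every address
        target == "ACCEPT"             { print src }             # a whitelisted client
        END { if (unrestricted) exit 2; if (!found) exit 1 }
    '
}

# Constructed sample: two whitelisted clients, then the DROP rule, then SSH.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 203.0.113.7/32 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -s 198.51.100.20/32 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | webmin_audit 10000
```

Any address in the output that you no longer use should be taken out with webmin_remove IP.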
